Microsoft Exchange security vulnerabilities
DFi Service shares its feedback on the action plan adopted for its customers, along with its advice and recommendations.
Over the last few days, numerous press releases have reported massive attacks on email servers worldwide. DFi Service offers you a review of the situation.
On 02/03/2021, Microsoft publicly disclosed multiple vulnerabilities affecting Microsoft Exchange mail servers. Following this announcement, Microsoft made security patches available. These updates fix a chain of pre-authentication remote code execution (RCE) vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that allow attackers to compromise the servers.
Despite the measures undertaken, analyses by DFi and the various security organisations (CERT / CSIRT) have identified that these vulnerabilities were already being actively exploited (0days) well before the publication of patches by Microsoft.
Figure 1. Chronology of events
In response to these risks, DFi Service decided to deploy a massive incident response plan for all managed customers, to cover the following aspects:
- Identification of impacted servers
- Patching of vulnerable servers
- Identification of signs of compromise
- Cleaning up malicious files
These actions could be supplemented by DFi Service with more advanced analyses in order to identify a potential post-exploitation risk (forensic analyses) or by integrating advanced detection solutions (Security Operations Center, EDR, etc.).
In addition to the incident response plan, DFi Service has contacted all of its affected managed customers in order to propose recommendations adapted to the context, environment and architecture of each customer.
Recommendations and security principles:
To guarantee better protection of Exchange mail servers, DFi Service recommends applying the following best practices:
- Adopt the principle of secure architecture by design to avoid making the Exchange server directly accessible from the Internet:
  - Set up a web application firewall (WAF) to filter and secure incoming web flows
  - Implement an SMTP bastion to secure incoming and outgoing SMTP flows
  - Set up a web bastion or proxy to filter outgoing web flows from the mail server
- Maintain and deploy patches on the entire information system
- Define an incident response policy setting out the actions to be taken when major security incidents occur
- Integrate advanced detection solutions:
  - SIEM/SOC service to monitor the entire information system and provide real-time detection
  - EDR Antivirus to increase security on workstations
- Define an appropriate backup and recovery strategy
- Define an incident response strategy to undertake the right actions
For all these principles, DFi Service can offer you customised support.